Cybersecurity Safeguards Investment Firms Should Take Amidst the Russia-Ukraine Crisis

Mar 15, 2022

Over the last few weeks, as the Russia-Ukraine crisis has escalated on the ground, concern about Russian cyber-attacks has also increased – not just against Ukraine but against anyone supporting Ukraine or doing business with Ukraine. There is also a higher risk of cyber-attacks on critical macro infrastructure of Russian adversaries. This could include utilities such as electric grids and energy delivery, as well as healthcare, including hospitals and centralized medical networks.

On top of this, financial systems are another sector at increased risk, particularly larger institutions and fintech platforms, such as SWIFT. This could even trickle down to investment firms due to their ties with larger financial institutions. Therefore, it's prudent for investment firms to heighten their alertness towards cybersecurity.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC) and other global agencies are encouraging firms to bolster their cyber resilience. CISA issued a rare cyber “Shields Up” warning shortly before Russia invaded Ukraine, saying “Every organization—large and small—must be prepared to respond to disruptive cyber activity.”

Here at Abacus, our Cybersecurity team has been monitoring the developing events and is on heightened alert. We are encouraging our clients to be extra vigilant with suspicious activity, particularly around phishing emails.

In general, this is also a good time for investment firms to review internal cybersecurity policies. Here is a list of good questions for your firm to consider:

  • Do you have multi-factor authentication (MFA) and are you enforcing it at every opportunity?
  • What is your password expiration and rotation policy?
  • Are you utilizing web filtering on your corporate firewalls?
  • Are you properly protecting your firm’s computers with managed anti-virus software and regular patching?
  • Are your users restricted from having local admin rights on computers?
  • Do you have a process in place to approve wire transfers?
  • Are your users trained on how to handle spear phishing attacks, both verbal and digital?
  • Does your cybersecurity program have proper internal business sponsorship, or do you still see it as a technology function?
  • Are you requiring annual cybersecurity education training and phishing tests for all of your employees?

Perhaps your firm made some one-off cybersecurity policy exceptions in the last few years without giving proper thought to the ramifications of opening holes in your firm’s cyber defense. Some common decisions that your firm might have been OK with in the past that we recommend you revisit are:

  • “I can't have my PM change his password that often”
  • “My head trader will lose his mind if I force MFA on him”
  • “My CFO wants to use a Mac and doesn’t want to hook it up to MDM”
  • “When so and so runs a speed test on VPN, they don’t get their full internet speeds, so disable VPN”
  • “Our anti-virus software makes my PC run slower, so remove it”

Abacus makes this essential oversight and governance simple for our clients by providing extensive reporting within our abacusPortal. Take this opportunity to review your policies, settings, and incident response procedures. And be sure all your employees are aware of the heightened alert level.
